While JPMorgan Chase took immediate steps in the wake of the breach, replacing some 2 million debit cards in December, the New York Times reports that Citi waited until now to issue the replacement cards so as to minimize the potential havoc that could have been caused by changing millions of card numbers in the middle of the holiday shopping (and subsequent return) season.
Citi claims that the decision to replace these cards is precautionary and is not tied to any increase in fraudulent activity.
Neither Chase nor Citi has announced any intention to replace affected credit cards. Federal laws offer a higher level of protection to credit card users than they do to debit card users.
If an ID thief were to get a debit cardholder’s account number and PIN, he could create a duplicate card and begin withdrawing cash directly from that customer’s checking account. Even though some banks have minimal or zero liability policies on such fraudulent transactions, it can take quite some time for that stolen money to be reinstated to the customer’s account.
Target initially denied that PIN information was stolen during the breach, but it later confirmed that encrypted PIN info was indeed stolen. The thieves will need a key to break that encryption and access the PINs. Target insists that key was not part of the massive data breach.
No other major banks or card issuers have taken any action to replace debit or credit cards.